- GDPR applies to businesses established in the EU and, wherever they are based, to businesses that offer goods or services to people in the EU or monitor their behaviour.
- For small businesses, compliance comes down to six areas: lawful basis, data mapping, consent, individual rights, breach response, and vendor management.
- This is a practical starting point — not legal advice. For complex situations, consult a data protection specialist.
GDPR became applicable in May 2018 and has been enforced with increasing seriousness since. Fines issued to large organisations attract headlines, but small businesses are not exempt, and many remain significantly under-prepared: not because they are indifferent to compliance, but because the regulation feels complex and the guidance is often written for large organisations with dedicated compliance teams.
This checklist is different. It focuses on the six areas that matter most for a small service business — the ones a regulator will focus on if you ever face a complaint or audit. Work through each section and you’ll have a meaningful baseline of GDPR compliance, not just a policy document.
This is not legal advice. GDPR compliance requirements vary by jurisdiction, business type, and the nature of the personal data you process. This checklist provides a practical framework. For complex situations, regulated sectors, or cross-border data transfers, consult a qualified data protection practitioner.
Area 1: Lawful basis for processing
Every time your business processes personal data, it needs a lawful basis for doing so. The most common ones for small service businesses are: contract (you need the data to fulfil a contract with the person), legitimate interests (you have a genuine business reason, and the person's interests and rights do not override it), and consent (the person has clearly agreed). Legal obligation (for example, retaining tax records) is also common.
Identify every type of personal data you process — client names, contact details, financial information, identification documents, employee data.
Document the lawful basis for each type — contract, legitimate interests, legal obligation, consent, or vital interests. “We have it” is not a lawful basis.
Ensure your privacy notice explains your lawful basis — in plain language that a non-lawyer can understand.
If relying on legitimate interests, complete a Legitimate Interests Assessment: document the purpose, why the processing is necessary to achieve it, and the balancing test showing that the individual's interests and rights do not override yours.
Area 2: Data mapping
You can't protect data you don't know you have. Data mapping means understanding what personal data you hold, where it is, who can access it, and how long you keep it. For a small business, this is often a simple spreadsheet exercise. The output is called a Record of Processing Activities (ROPA). Article 30 exempts organisations with fewer than 250 employees, but the exemption falls away where processing is not occasional, is likely to result in a risk to individuals, or involves special category or criminal offence data, so in practice most businesses need one, and it is the foundation for everything else on this list.
List every system where personal data is stored — CRM, email, accounting software, HR system, cloud storage, paper files.
For each system, record: what data, whose data, why you have it, how long you keep it, who can access it.
Identify any data held on personal devices or personal email accounts — this is a common gap in small businesses.
Confirm retention periods are documented and enforced — data that isn’t deleted when it should be is a compliance risk.
Area 3: Consent
If you rely on consent as your lawful basis for any processing (especially for marketing), that consent needs to meet GDPR's standard: freely given, specific, informed, and unambiguous, given by a clear affirmative action. Pre-ticked boxes, bundled consent, and vague "by signing this form you agree to everything" language do not qualify.
Marketing emails require explicit opt-in consent: not a pre-ticked checkbox, not inferred from a prior purchase. The one exception is the ePrivacy "soft opt-in" for existing customers (similar products or services only, with a clear opt-out offered when the details were collected and in every message); if you rely on it, document that you meet each condition.
Consent records are stored — you can demonstrate who consented, when, and to what.
Withdrawing consent is as easy as giving it — every marketing email has an unsubscribe link that actually works.
Consent from children requires parental consent below the age of digital consent. GDPR sets this at 16 by default, but member states may lower it to 13 and many have (the UK uses 13), so check the threshold that applies where your users are. If your service could be used by minors, this requires specific attention.
Area 4: Individual rights
GDPR gives individuals a set of rights over their personal data. Your business needs a process for handling each of them. The most commonly exercised are the right of access (subject access requests), the right to erasure ("right to be forgotten"), and the right to rectification (correction).
You can respond to a Subject Access Request within one month (extendable by up to two further months for complex or numerous requests, provided you tell the individual within the first month). This means you know where all personal data relating to an individual is held, including in email, backups, and third-party tools, and can retrieve it.
You have a process for erasure requests — including understanding which data you have a legal obligation to retain and cannot erase even if asked.
Your privacy notice explains how to exercise rights — individuals should be able to find out how to make a request without having to call or search your website.
You do not charge for subject access requests. The default is free; only manifestly unfounded or excessive requests can attract a reasonable fee or be refused, and you must be able to justify that decision.
Area 5: Data breach response
A personal data breach, whether a laptop is stolen, an email is sent to the wrong person, or a system is accessed without authorisation, must be reported to your supervisory authority without undue delay and, where feasible, within 72 hours if it is likely to result in a risk to individuals' rights and freedoms. The 72-hour clock starts from when you become aware of the breach, and a late notification must explain the delay. Where the breach is likely to result in a high risk to individuals, you must also tell the affected individuals without undue delay.
You know who your supervisory authority is — the ICO (UK), the DPC (Ireland), CNIL (France), or the relevant authority for your member state.
You have a documented breach response process — who is notified internally, who makes the external notification, what information is needed.
Staff know what constitutes a breach and who to tell immediately — a team member who accidentally sends a client email to the wrong address needs to know to report it that day, not next week.
You maintain a breach register — even breaches that don’t require external notification should be logged internally.
Area 6: Vendor management
Every third-party system or service provider that processes personal data on your behalf and under your instructions is a "data processor", and you remain responsible for ensuring they handle that data in compliance with GDPR. This includes your CRM, email platform, cloud storage, accountancy software, and any other service that holds client or employee data. (Some third parties, such as a bank or an external accountant acting under their own professional obligations, are independent controllers rather than processors; the distinction decides which contract terms you need.)
You have Data Processing Agreements (DPAs) with all processors — most reputable SaaS vendors provide these automatically; check your account settings or contact their compliance team.
You know where each vendor stores and supports data geographically. Transfers of personal data outside the EEA (or the UK, for UK businesses) require specific safeguards: an adequacy decision, or Standard Contractual Clauses for transfers from the EU and the IDTA or UK Addendum for transfers from the UK, together with an assessment of whether the safeguard is effective in the destination country.
You have a process for vetting new vendors — before signing up for any new tool that will process personal data, someone checks the DPA and data residency position.
Former vendors: confirm data deletion on contract end — when you stop using a service, request written confirmation that your data has been deleted.
Where to start if this feels overwhelming: Pick the highest-risk area first. For most small service businesses, that’s vendor management — specifically, understanding where client data is being stored by third-party tools. One afternoon reviewing your main vendors’ DPAs and data residency policies is a meaningful improvement even before you tackle everything else on this list.
GDPR-ready client data management
HubSecure is built for professional service firms that handle sensitive client data — with EU hosting, audit trails, access controls, and data retention tools built in.